Six Steps to Help SMBs Avoid Online Fraud, Financial Loss


Another easily preventable cyber heist on a small business (SMB) was reported this week by Brian Krebs. Primary Systems Inc. had $180,000 stolen from their coffers after thieves compromised their online banking by adding 26 “new” employees to the payroll and transferring funds ranging from $5,000-$9,000 per individual.

In reading the article, I find it simply fascinating that so many processes and controls that should have been in place were simply overlooked, avoided or not understood at all. It made me immediately think of the sinking of the Titanic and how it wasn’t just one issue (an iceberg in the ocean), but rather a series of unfortunate and avoidable events.

For Primary Systems and their bank, St. Louis-based Enterprise Bank & Trust, there are some simple, clear lessons that all small business owners AND banks need to understand.

Train employees to be aware of phishing attacks. The attacks started when a Primary Systems employee clicked on a malware-infected email.

Confirm IT staff has up-to-date cybersecurity training. Primary Systems staff relied on firewalls and antivirus systems to protect their corporation — a basic first defense, but hardly a proper layered security effort.

Realized adding 26 new employees to the payroll, and executing a transaction in the middle of a Tuesday night, was not a typical transaction for Primary Systems (they execute payroll on Fridays)

Flagged virtually every one of the new employees who had different out-of-state addresses; all Primary Systems employees were located in-state

Inquire about a bank’s audit status with the FFIEC compliance standards. Enterprise Bank & Trust allows customers to transfer up to $200,000 with only a username and password as the security control. This seems to fly in the face of both the 2011 AND 2007 FFIEC guidance for online banking.

Take advantage of positive pay or dual security controls offered by your bank. Unfortunately, Primary Systems declined to use the service offered by their bank.

Understand your financial risk and liability as a small-business owner. Primary Systems assumed they were covered by EFTA Regulations “E” where banks are liable for losses due to fraud. Unfortunately, Reg. “E” only covers retail customers.
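The payroll anomalies described above (a run on a Tuesday night instead of Friday, 26 new payees, out-of-state addresses) can each be expressed as a simple rule that holds a batch for a call-back before funds move. The following is an added example, not code from the article, the bank or any vendor; the baseline values, field names and sample batches are all constructed assumptions.

```python
from datetime import datetime

# Constructed baseline for a hypothetical business (not data from the incident).
BASELINE = {
    "payroll_weekday": 4,            # Friday; datetime.weekday() has Monday == 0
    "business_hours": range(7, 19),  # 07:00-18:59 local time
    "home_state": "OH",              # constructed placeholder state
    "known_payees": {"E001", "E002", "E003"},
    "max_new_payees": 2,             # new hires tolerated in a single run
}

def review_batch(batch, baseline=BASELINE):
    """Return the reasons a payroll batch should be held for a call-back."""
    reasons = []
    when = batch["submitted_at"]
    if when.weekday() != baseline["payroll_weekday"]:
        reasons.append("off-schedule day")
    if when.hour not in baseline["business_hours"]:
        reasons.append("outside business hours")
    new = [p for p in batch["payments"]
           if p["payee_id"] not in baseline["known_payees"]]
    if len(new) > baseline["max_new_payees"]:
        reasons.append(f"{len(new)} new payees")
    remote = [p for p in new if p["state"] != baseline["home_state"]]
    if remote:
        reasons.append(f"{len(remote)} new payees out of state")
    return reasons

# Constructed sample batches.
NORMAL = {
    "submitted_at": datetime(2024, 3, 8, 10, 0),    # a Friday morning
    "payments": [{"payee_id": p, "state": "OH", "amount": 2400}
                 for p in ("E001", "E002", "E003")],
}
SUSPECT = {
    "submitted_at": datetime(2024, 3, 5, 23, 30),   # late on a Tuesday night
    "payments": [{"payee_id": f"N{i:03d}", "state": "FL",
                  "amount": 5000 + 150 * i} for i in range(26)],
}

if __name__ == "__main__":
    for name, batch in (("normal", NORMAL), ("suspect", SUSPECT)):
        print(name, review_batch(batch) or "release")
```

Any non-empty result is a reason to confirm the batch with the customer through a second channel before releasing it.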

While I know that small-business owners wear many hats and are pulled in many directions, I hope they can take 15 minutes to do a little “homework” and benefit from the lesson Primary Systems learned the hard way.

IdentityOn Blog

Entrust has been at the forefront of the identity-based security market for nearly two decades. Our identity-based security solutions secure governments, enterprises, and financial institutions in more than 5,000 organizations spanning 85 countries.